Atlassian Guard - Attribute mappings for SAML SSO and SCIM user provisioning
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
Atlassian Guard provides the Single Sign-on (SSO) feature, which uses the SAML protocol, and the user provisioning feature, which uses the SCIM protocol.
An email address is one of the primary identifiers of Atlassian Cloud accounts, and mapping inconsistent values can result in creating duplicate accounts and login problems.
If you are using both SAML SSO and the user provisioning (SCIM) features, make sure you map the same IDP attribute to the following SAML and SCIM attributes respectively.
Feature | Attribute name |
---|---|
SAML SSO | NameID |
SCIM | emails[type eq "work"].value |
Good
Feature | Attribute name | Account attribute |
---|---|---|
SAML SSO | NameID | user.email |
SCIM | emails[type eq "work"].value | user.email |
Bad
Feature | Attribute name | Account attribute |
---|---|---|
SAML SSO | NameID | user.email |
SCIM | emails[type eq "work"].value | UPN |
Environment
- Atlassian Cloud
- Atlassian Guard
Solution
If you need to change SAML or SCIM behaviour and the change involves updating the mappings, involve your IDP admin and make sure both SAML - NameID and SCIM - emails[type eq "work"].value point to the same user attribute in email format.
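
One way to check the mapping on data captured from your IDP, as an added example (not Atlassian's code): it extracts the NameID from a SAML assertion and the emails[type eq "work"].value from a SCIM user record and compares them. The sample assertion, the SCIM records, the function names and the case-insensitive comparison are assumptions made for illustration.

```python
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample data (not real accounts); signature checks are out of scope.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

SAMPLE_SCIM_GOOD = json.dumps({  # work email mapped from user.email
    "userName": "jdoe",
    "emails": [
        {"type": "home", "value": "jane@personal.example"},
        {"type": "work", "value": "jane.doe@example.com", "primary": True},
    ],
})
SAMPLE_SCIM_BAD = json.dumps({  # work email mapped from UPN by mistake
    "userName": "jdoe",
    "emails": [{"type": "work", "value": "jdoe@corp.example.local"}],
})


def saml_name_id(assertion_xml):
    """Return the Subject NameID text of a SAML 2.0 assertion, or None."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", SAML_NS)
    return node.text.strip() if node is not None and node.text else None


def scim_work_email(user_json):
    """Evaluate emails[type eq "work"].value on a SCIM user resource."""
    for entry in json.loads(user_json).get("emails", []):
        if str(entry.get("type", "")).lower() == "work":
            return entry.get("value")
    return None


def mapping_consistent(assertion_xml, user_json):
    """True only when both values exist and match (assumption: case-insensitive)."""
    name_id, work = saml_name_id(assertion_xml), scim_work_email(user_json)
    if not name_id or not work:
        return False
    return name_id.casefold() == work.strip().casefold()
```

A False result for a user means the two features are fed from different IDP attributes, which is the "Bad" mapping shown above.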